fsverity: distinguish between verity missing and not supported

When measuring the verity, distinguish between fs-verity not being
enabled on the file, and the filesystem itself not supporting fs-verity.

Signed-off-by: Sanne Raymaekers <[email protected]>

Author: croissanne

crates/composefs/src/fsverity/ioctl.rs

@@ -107,9 +107,8 @@ pub(super) fn fs_ioc_measure_verity<H: FsVerityHashValue>(
             }
             Ok(digest.digest)
         }
-        Err(Errno::NODATA | Errno::NOTTY | Errno::OPNOTSUPP) => {
-            Err(MeasureVerityError::VerityMissing)
-        }
+        Err(Errno::NODATA) => Err(MeasureVerityError::VerityMissing),
+        Err(Errno::NOTTY | Errno::OPNOTSUPP) => Err(MeasureVerityError::FilesystemNotSupported),
         Err(Errno::OVERFLOW) => Err(MeasureVerityError::InvalidDigestSize {
             expected: digest.digest_size,
         }),
@@ -124,19 +123,29 @@ mod tests {
     use rustix::fd::FromRawFd;
     use tempfile::tempfile_in;
 
-    use crate::fsverity::Sha256HashValue;
+    use crate::{fsverity::Sha256HashValue, test::tempfile};
 
     use super::*;
 
     #[test]
     fn test_measure_verity_opt() {
-        let tf = tempfile::tempfile().unwrap();
+        let tf = tempfile();
         assert!(matches!(
             fs_ioc_measure_verity::<Sha256HashValue>(&tf),
             Err(MeasureVerityError::VerityMissing)
         ));
     }
 
+    #[test_with::path(/dev/shm)]
+    #[test]
+    fn test_measure_verity_not_supported() {
+        let tf = tempfile_in("/dev/shm").unwrap();
+        assert!(matches!(
+            fs_ioc_measure_verity::<Sha256HashValue>(&tf),
+            Err(MeasureVerityError::FilesystemNotSupported)
+        ));
+    }
+
     #[test_with::path(/dev/shm)]
     #[test]
     fn test_fs_ioc_enable_verity_wrong_fs() {

crates/composefs/src/fsverity/mod.rs

@@ -15,6 +15,8 @@ pub enum MeasureVerityError {
     Io(#[from] Error),
     #[error("fs-verity is not enabled on file")]
     VerityMissing,
+    #[error("fs-verity is not support by filesystem")]
+    FilesystemNotSupported,
     #[error("Expected algorithm {expected}, found {found}")]
     InvalidDigestAlgorithm { expected: u16, found: u16 },
     #[error("Expected digest size {expected}")]
@@ -110,7 +112,9 @@ pub fn measure_verity_opt<H: FsVerityHashValue>(
 ) -> Result<Option<H>, MeasureVerityError> {
     match ioctl::fs_ioc_measure_verity(fd) {
         Ok(result) => Ok(Some(result)),
-        Err(MeasureVerityError::VerityMissing) => Ok(None),
+        Err(MeasureVerityError::VerityMissing | MeasureVerityError::FilesystemNotSupported) => {
+            Ok(None)
+        }
         Err(other) => Err(other),
     }
 }
@@ -253,7 +257,7 @@ mod tests {
 
         assert!(matches!(
             measure_verity::<Sha256HashValue>(&tf).unwrap_err(),
-            MeasureVerityError::VerityMissing
+            MeasureVerityError::FilesystemNotSupported
         ));
 
         assert!(measure_verity_opt::<Sha256HashValue>(&tf)
@@ -262,7 +266,7 @@ mod tests {
 
         assert!(matches!(
             ensure_verity_equal(&tf, &Sha256HashValue::EMPTY).unwrap_err(),
-            CompareVerityError::Measure(MeasureVerityError::VerityMissing)
+            CompareVerityError::Measure(MeasureVerityError::FilesystemNotSupported)
         ));
     }